Skip to main content

Organization Chart EUVDEUVD-2026-31742

| CVE-2026-24597 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-05-25 Patchstack GHSA-q9c3-882w-3gm6
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 11:48 vuln.today

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in WpDevArt Organization chart allows Cross Site Request Forgery.

This issue affects Organization chart: from n/a through 1.7.5.

AnalysisAI

Cross-Site Request Forgery in WpDevArt's Organization Chart WordPress plugin (all versions through 1.7.5) enables remote unauthenticated attackers to perform unauthorized state-changing actions against the plugin by tricking an authenticated WordPress user into interacting with a crafted request. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) reflects that while no authentication or elevated complexity is required on the attacker's side, exploitation is gated by mandatory victim interaction, limiting realistic impact to integrity modifications only. No public exploit code exists and no active exploitation has been identified; EPSS score of 0.01% (3rd percentile) and SSVC exploitation status of 'none' collectively indicate low real-world threat at time of analysis.

Technical ContextAI

The affected component is the WpDevArt Organization Chart WordPress plugin, identified by CPE cpe:2.3:a:wpdevart:organization_chart:*:*:*:*:*:*:*:* across all versions up to and including 1.7.5. The root cause is CWE-352 (Cross-Site Request Forgery), a class of vulnerability arising when a web application fails to verify that HTTP requests originate from the authenticated user's own session - typically due to absent or improperly validated WordPress nonces or CSRF tokens on plugin admin endpoints. In the WordPress context, this commonly affects AJAX handlers or form submission endpoints that modify plugin-managed data (such as organization chart structures) without confirming request legitimacy. An attacker can exploit this by embedding a forged HTTP request in an external resource that a logged-in user is socially engineered to load.

RemediationAI

The primary remediation is to update the WpDevArt Organization Chart plugin beyond version 1.7.5; however, an exact patched release version is not confirmed in the available data - site operators should check the WordPress plugin repository or the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/organization-chart/vulnerability/wordpress-organization-chart-plugin-1-7-5-cross-site-request-forgery-csrf-vulnerability for the latest fixed release. As a compensating control where patching is not immediately possible, administrators can restrict access to the WordPress admin dashboard using IP allowlisting (e.g., via .htaccess or server-level firewall rules), which eliminates the attack surface by preventing forged requests from unauthorized origins from reaching authenticated sessions. Additionally, enforcing strict Content Security Policy headers and SameSite=Strict cookie attributes at the server or WAF layer can block cross-origin request submission, though this may require application-level testing to avoid breaking legitimate functionality. Disabling the plugin entirely until a patched version is confirmed available is also a low-risk option given the plugin's non-critical nature.

Share

EUVD-2026-31742 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy